Every year more and more of the world's data is processed and stored in remote locations using “cloud-based” architectures. In addition, mobile computing systems, such as smart phones, are often the preferred mechanism for accessing data. Consequently, protecting access to sensitive data and information has become increasingly difficult and critical. This is particularly true in light of the fact that unauthorized parties, e.g., hackers, recognizing the situation, have become more and more sophisticated and determined to gain access to sensitive data.
As a result of the situation described above, many providers of databases containing sensitive data, such as financial institutions and providers of financial management systems, are highly motivated to find additional ways to prevent unauthorized users from accessing their customers' accounts. To answer this need, multi-factor authentication systems have been developed that require a party requesting access to sensitive data to provide two or more types of authentication before they are granted access to the sensitive data. However, in light of the migration to mobile computing discussed above, many multi-factor authentication methods currently used to protect sensitive data are difficult to implement, and, in some cases, are simply impractical.
As one example, one multi-factor authentication method currently used to protect sensitive data in remote databases is to generate one-time passcodes that are sent to a data requesting party's telephone, or other computing system. However, the passcodes can be difficult to read, hear, or otherwise obtain. In addition, legitimate database users often mis-key the passcodes, and/or otherwise make data entry mistakes, when entering the supplied passcodes into the database access websites. Unfortunately, this generally means the process must be repeated from the beginning and a new passcode must be generated, provided, and entered once access is denied due to a mis-keyed passcode. This is an inconvenient and annoying situation for legitimate database users trying to access their own sensitive data.
What is needed is a method and system for providing multi-factor authentication that does not require the use of keyed-in passcodes, is simple to use, and leverages the fact that most data access requesting parties have access to two or more computing systems, and/or mobile computing systems.